
Recipe: BYOK (bring your own key) architecture

Deploy Meridian with keys you control. No shared secrets, no vendor custody.

Overview

BYOK mode lets you supply your own Ed25519 keypair. Meridian signs nothing without your key. The loader validates payloads against your public key, which is baked into the loader binary at build time.

Key generation

openssl genpkey -algorithm ed25519 -out meridian_private.pem

Build pipeline

  1. Store the private key in your CI secrets vault.
  2. Pass MERIDIAN_SIGNING_KEY to the sign stage.
  3. The public key is embedded in the loader at compile time.
  4. Payloads are signed during CI; unsigned payloads are rejected at runtime.

Runtime flow

  • Loader self-verifies its embedded public key hash.
  • Fetches payload from your CDN.
  • Validates Ed25519 signature before mapping into memory.
  • Aborts on a signature mismatch or if tampering with the embedded key is detected.

Your key, your custody. Meridian never sees the private key.